EP2681874B1 - Ipsec connection to private networks - Google Patents
- Publication number: EP2681874B1 (application EP12755660.3A)
- Authority: EP (European Patent Office)
- Prior art keywords: tenant, appliance, secure communication, data, tag
- Legal status: Active
Classifications
- H04L63/164: Implementing security features at a particular protocol layer at the network layer (under H04L63/16, Implementing security features at a particular protocol layer; H04L63/00, Network architectures or network communication protocols for network security; H04L, Transmission of digital information, e.g. telegraphic communication; H04, Electric communication technique; H, Electricity)
- H04L63/0272: Virtual private networks (under H04L63/02, Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
- H04L63/104: Grouping of entities (under H04L63/10, Network architectures or network communication protocols for network security for controlling access to devices or network resources)
Definitions
- the present disclosure relates generally to networking systems; in particular, the present disclosure relates to integration of an IPsec connection to private networks.
- a server hosting system provides servers for use by multiple customers, or tenants.
- Computing devices in the server hosting system are located at one or more locations remote from the tenants.
- the computing devices in the server hosting system can be located at a premises occupied by a vendor, or offsite from the vendor.
- Use of server hosting systems is growing in popularity because a server hosting system can enable a tenant to divide the cost of implementing, maintaining, and running servers with other tenants.
- a server provided by a server hosting system is sometimes referred to as a managed server.
- a server hosting system can include a dedicated computing device that exclusively provides an individual managed server for a tenant.
- the server hosting system can include a computing device that provides multiple virtual managed servers.
- each of the virtual managed servers functions like a separate server, even though the virtual managed servers are provided by a single computing device.
- a tenant is able to readily access a managed server in a simple manner, to allow a managed server to approximate the convenience of a local server managed by that tenant.
- Access includes administration of a server hosting system and managed servers included in such a system including adding or deleting managed servers, or controlling access to those managed servers to certain individuals associated with the tenant.
- a tenant should be able to communicate data securely with the server hosting system, and use any off-the-shelf networking devices to accomplish this connection.
- the tenant must be able to identify the particular managed server within the server hosting system that the tenant wishes to access.
- a server hosting system can be secured internally, to protect data exchanged among managed servers.
- where the managed servers are virtual managed servers, multiple tenants may share a set of those virtual managed servers, but those tenants may not be allowed access to each other's data.
- One example of such a server hosting system security arrangement is provided by the Stealth data parsing technology provided by Unisys Corporation of Blue Bell, Pennsylvania.
- the tenant is required to install specialized software or use a particular secure appliance as a gateway to gain access to a server hosting system.
- tenants prefer an off-the-shelf networking appliance that allows them to connect to their managed servers at a server hosting system.
- IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data communicated between hosts, gateways, or some combination thereof. IPsec secures IP communication by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between computing systems at the beginning of a communications session and negotiation of cryptographic keys to be used during the session.
- IP addresses can quickly become exhausted, providing an unnecessary limitation on the number of tenants able to connect to a managed server in the server hosting system.
- tenant IP addresses are assigned in an unpredictable fashion. This results in non-contiguous IP addresses and segmentation of the available IP address space.
- because tenants are preferably allowed to assign their own IP addresses to managed servers, those tenants may in fact assign the same IP address to different servers, resulting in the case where two tenants each wish to use a different server having the same IP address.
- one existing approach adds a tag to each IPsec communication packet that identifies the managed server that is the destination of the packet from the tenant.
- this approach requires use of a proprietary addition to the data packet that must be added by a tenant device, and therefore requires that tenants obtain specialized appliances that can handle routing of data packets by applying such tags. For these and other reasons, improvements are desirable.
- LI ERRAN LI ET AL "VSITE: A scalable and secure architecture for seamless L2 enterprise extension in the cloud", SECURE NETWORK PROTOCOLS (NPSEC), 2010 6TH IEEE WORKSHOP ON, IEEE, PISCATAWAY, NJ, USA, 5 October 2010 (2010-10-05), pages 31-36 discloses an end-to-end architecture, called VSITE, for seamless integration of cloud resources into an enterprise's Intranet at layer 2 allowing a cloud provider to carve out its resources to serve multiple enterprises simultaneously while maintaining isolation and security.
- US 2010/257263 A1 discloses a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking.
- WOOD T ET AL, "The case for enterprise-ready virtual private clouds", INTERNET CITATION, 19 June 2009 (2009-06-19), pages 1-5, discloses a cloud platform architecture which utilizes virtual private networks to securely and seamlessly link cloud and enterprise sites.
- US 2003/0055933A1 discloses techniques for the creation, operation, management, and access control of network-based storage services in customer support operations, to improve the efficiency of the service management tasks used for designing, operating and accounting for robust and profitable network services.
- the present invention is directed to subject-matter as disclosed by the appended claims.
- a server hosting system is disclosed according to claim 1.
- a method of securing communications between a tenant and a server hosting system is disclosed according to claim 11.
- a computer storage medium is disclosed according to claim 13.
- the present disclosure relates to use of an IPsec connection and tenant-dedicated secure communications appliances to route tenant data and access requests to managed servers in a server hosting system that the tenant is authorized to access.
- the tenant systems are not required to specially identify the data transmitted to the server hosting system via the IPsec connection, and therefore each tenant can use industry-standard, lower cost networking equipment.
- This extension of the server hosting system also provides increased flexibility in methods by which tenants can access managed servers.
- Figure 1 is a block diagram illustrating an example embodiment in which multiple tenants 100A, 100B use managed servers 102 provided by a server hosting system 104.
- the tenants 100A and 100B are also referred to herein as the tenants 100.
- although the example of Figure 1 shows only two tenants 100 and two managed servers 102, it should be appreciated that additional tenants can use managed servers provided by the server hosting system 104, and that the server hosting system 104 can provide additional managed servers.
- Each of the tenants 100 is an entity.
- the tenants 100 can be various types of entities.
- one or more of the tenants 100 can be business entities, non-profit entities, individual people, government organizations, and so on.
- Each of the tenants 100 is associated with at least one user 106.
- the tenants 100 can be associated with the users 106 in various ways.
- one or more of the users 106 can be employees, agents, users, contractors, or customers of the tenants 100.
- the users 106 can have other relationships with the tenants 100.
- the users 106 use computing devices 108.
- the computing devices 108 can be a variety of different types of computing devices.
- the computing devices 108 can be personal computers, laptop computers, handheld computers, tablet computers, smart phones, in-car computers, gaming consoles, television set-top boxes, thin-client computers, and other types of computing devices.
- one or more of the computing devices 108 are of the types described below with regard to Figure 7.
- the server hosting system 104 includes one or more computing devices.
- the server hosting system 104 can include one or more standalone server devices, blade server devices, data storage devices, personal computers, mainframe computers, routers, switches, intrusion detection devices, firewall devices, bridges, and other types of computing devices.
- one or more of the computing devices in the server hosting system 104 are of the types described below with regard to Figure 7.
- the computing devices of the server hosting system 104 operate to provide the managed servers 102.
- the computing devices of the server hosting system 104 can operate in various ways to provide the managed servers 102.
- a computing device in the server hosting system 104 can execute computer-executable instructions that cause the computing device to provide one of the managed servers 102.
- a computing device in the server hosting system 104 can include one or more application-specific integrated circuits (ASICs) that operate to provide one of the managed servers 102.
- single computing devices in the server hosting system 104 can provide multiple ones of the managed servers 102 for use by the same or different ones of the tenants 100.
- the multiple managed servers provided by a single computing device are "virtual" managed servers.
- one of the computing devices in the server hosting system 104 can run VMware® software.
- the VMware® software provides an operating environment in which multiple virtual managed servers run.
- a single computing device of the server hosting system 104 can provide a single one of the managed servers 102 that is dedicated for use by one of the tenants 100.
- a single computing device of the server hosting system 104 can provide two or more of the managed servers 102, each of which is dedicated for use by the same tenant 100, or different tenants.
- each of the managed servers 102 is to be associated to a tenant on a one-to-one or many-to-one basis; a managed server 102 is not, according to the embodiments disclosed herein, assigned to more than one tenant 100.
- the computing devices 108 used by the users 106 communicate with the server hosting system 104 via a communication network 110.
- the communication network 110 can include various types of communication networks.
- the communication network 110 can include the Internet.
- the communication network 110 can include one or more wide-area networks, local-area networks, or other types of networks.
- the communication network 110 can include one or more wired or wireless communication links between computing devices connected to the communication network 110.
- FIG. 2 is a block diagram illustrating details of an example communication interface to a server hosting system 104.
- each of the tenants 100a-b includes a tenant communication appliance, shown as client IPsec appliance 202a, 202b, respectively.
- the client IPsec devices 202a-b can collectively be referred to herein as client IPsec appliances 202.
- the client IPsec appliances 202 are network appliances capable of communicating with remote systems using an IPsec communication protocol. Details regarding the IPsec communication protocol are described in "Security Architecture for the Internet Protocol", published as RFC 4301, and related protocols, available at www.ietf.org.
- the client IPsec appliances 202 can, in certain embodiments, be generally available networking devices, for example a 5500 series security appliance available from Cisco Systems of San Jose, California. Other types of appliances could be used as well.
- the server hosting system 104 includes a secure communication appliance, shown as cloud IPsec appliance 204, associated with each tenant 100; in the embodiment shown, a first cloud IPsec appliance 204a communicates with a first client IPsec appliance 202a via an IPsec tunnel 205a, for example over the internet. Similarly, a second cloud IPsec appliance 204b communicates with a second client IPsec appliance 202b via a separate IPsec tunnel 205b. Although additional or fewer cloud IPsec appliances 204 could be included in the server hosting system, in the various embodiments described herein at least one cloud IPsec appliance 204 exists and is dedicated to communication with each tenant 100.
- the cloud IPsec appliances 204 can each also be, in certain embodiments, a 5500 series security appliance available from Cisco Systems of San Jose, California. Other types of appliances could be used as well.
- the server hosting system 104 also includes a switch 206 communicatively connected to each of the cloud IPsec appliances 204.
- the switch 206 is a layer 2 switch that collects and routes data (e.g., requests for communication with one or more managed servers) into a cloud 208, which can include any of a variety of layouts of managed servers, for example virtual server systems logically arranged into a plurality of virtual local area networks (VLANs), as discussed below in connection with Figure 3.
- the switch 206 can be a Catalyst 3560 series switch as provided by Cisco Systems of San Jose, California. Other types of switches could be used as well.
- FIG. 3 is a block diagram illustrating further details of the server hosting system 104.
- the server hosting system 104 includes tenant clouds 300A, 300B, and 300C.
- Tenant clouds 300A, 300B, and 300C are also referred to herein collectively as the tenant clouds 300.
- Each of the tenant clouds 300 is associated with one of the tenants 100.
- it is preferable that a one-to-one mapping between tenants and tenant clouds is maintained.
- although Figure 3 shows the server hosting system 104 as including only three tenant clouds, it should be appreciated that the server hosting system 104 can include more or fewer tenant clouds.
- Each of the tenant clouds 300 includes one or more managed servers, such as managed servers 102 of Figure 1.
- the server hosting system 104 receives a data packet from an external system, for example via an IPsec tunnel 205a or 205b (referred to collectively as IPsec tunnels 205), at a cloud IPsec appliance 204.
- the system switch 302 receives the data packet, for example from another switch (such as switch 206 of Figure 2), and routes the data packet onto the system VLAN 304.
- the system switch 302 can route data from the system VLAN 304 to outbound portions of the server hosting system 104, for example the switch 206 and cloud IPsec appliances 204a-b of Figure 2.
- the system switch 302 can be implemented in various ways.
- the system switch 302 can be implemented using a specialized switch device.
- the specialized switch device routes packets in hardware and/or firmware.
- the system switch 302 can be implemented using a computing device that is not a specialized switch device.
- the computing device routes packets using application- or utility-level software.
- FIG. 4 is a block diagram illustrating details of a tenant cloud 300, or tenant virtual local area network ("tenant VLAN"), within the server hosting system 104.
- a tenant cloud connects to the system VLAN 304, and includes a virtual secure gateway (VSG) 402.
- the virtual secure gateway 402 receives data packets destined for one or more managed servers 102 within the tenant cloud 300.
- the virtual secure gateway is assigned an identifier, and receives data packets associated with that identifier, as discussed further in connection with Figure 5, below.
- the virtual secure gateway 402 also forms a secure communication session between each of the managed servers 102 that are a part of the tenant cloud 300 (as opposed to other tenant clouds associated with different, unaffiliated tenants).
- the one or more managed servers 102 can be virtual systems configured to represent one or more computing systems accessible to a particular tenant, with the tenant associated with a "community" of users capable of accessing the managed servers within the tenant cloud 300.
- the virtual secure gateway 402 shreds and encrypts each data packet received from the system VLAN 304, and recompiles data packets received from the managed servers 104.
- data communication is secure, while communication on the system VLAN 304 can occur in clear text to allow inspection and routing of packets by other infrastructure within the server hosting system 104.
- this shredding and encryption at the virtual secure gateway 402 and managed servers 102 is accomplished using the Stealth data parsing technology provided by Unisys Corporation of Blue Bell, Pennsylvania.
- FIG. 5 is a block diagram illustrating an example embodiment of an overall network 500 including a server hosting system implementing an IPsec connection, according to a possible embodiment.
- the network 500 illustrates one example layout of the client and server hosting system arrangements of Figures 1-4, in which usage examples of an IPsec connection to a server hosting system can be discussed.
- the network 500 includes a plurality of tenants 100, shown as first and second tenants 100a and 100b, respectively.
- the tenants, as previously discussed, include a plurality of users 106 and computing devices 108, and at least one client IPsec appliance 202.
- Each tenant 100 connects to the server hosting system 104 via a network 110, which can be, in various embodiments, an Internet connection, or any other network connection.
- Each client IPsec appliance 202 connects to a cloud IPsec appliance 204, where there is a cloud IPsec appliance dedicated to each tenant.
- the client IPsec appliance can, for example, be preprogrammed to connect only to a particular cloud IPsec appliance 204 at a particular network address.
- the cloud IPsec appliance 204 provides an encryption key to the client IPsec appliance 202, and the appliances 202, 204 form an IPsec tunnel for secure communication between the tenant 100 and the server hosting system 104.
- a switch 502 aggregates and routes data packets passing between the respective cloud IPsec appliance 204 and a VLAN switch 504.
- the switch can, in certain embodiments, be a layer two IP switch.
- the switch 502 can correspond to one or more switches, or a "switch fabric", utilized to route data between cloud IPsec appliances 204 and the VLAN switch 504.
- the VLAN switch 504 is connected between the switch 502 and a plurality of virtual secure gateways 402a-c, which represent access points for corresponding tenant clouds as illustrated in Figure 3.
- the virtual secure gateways 402a-c each provide access to managed servers 102 (shown by way of example with respect to virtual secure gateway 402a), and routing of packets between clients and respective tenant clouds associated with those clients.
- the virtual secure gateways 402a-c are therefore in this embodiment access points to virtual machines arranged into virtual local area networks (VLANs), such that one or more managed servers 102 are provided in each VLAN.
- the VLAN switch 504 routes data packets forwarded from the switch 502 to one of a plurality of virtual secure gateways 402a-c, which provide an access point for data destined for a particular virtual machine.
- the VLAN switch 504 can correspond to the system switch 302 of Figure 3.
- the virtual secure gateways 402a-c represent an entry point into a tenant-specific secure virtual network, or "tenant cloud", for example enabled using Stealth data parsing technology provided by Unisys Corporation of Blue Bell, Pennsylvania.
- each virtual secure gateway 402a-c can be identified with a particular gateway identifier, which resultingly identifies the tenant VLAN or cloud accessible by a particular tenant.
- the VLAN switch 504 inspects each data packet received from the switch 502, in particular a tag 510 identifying the destination managed server for the data packet.
- the tag 510 can, in certain embodiments, be applied by the cloud IPsec appliance 204 that receives the packet from a client 100.
- each cloud IPsec appliance 204 applies the same, unique tag to every packet it receives from a client, because only one client connects to each cloud IPsec appliance; that is, cloud IPsec appliance 204a does not connect to client IPsec appliance 202b, and cloud IPsec appliance 204b does not connect to client IPsec appliance 202a.
- the switch 502 and VLAN switch 504 can be incorporated into a single device, or multiple switching devices.
- the tag 510 can represent an identity of a virtual secure gateway to which the data packet is destined.
- a cloud IPsec appliance 204a could be configured to apply a tag representing "Virtual Secure Gateway 1" (VSG 506a) to a data packet 510, such that when the packet arrives at the VLAN switch 404, the packet is routed to the VSG identified by the tag, in this case, VSG 506a.
- Data packets routed from the virtual secure gateway can likewise be tagged with the identity of that VSG, such that the VLAN switch 504 and switch 502 are instructed to route those packets to the correct cloud IPsec appliance 204.
- packets tagged "Virtual Secure Gateway 1" from VSG 506a would only be routed to IPsec appliance 204a.
- the tag 510 can be managed by an IPsec appliance 204 and the VLAN switch 504 in accordance with IEEE specification 802.1Q, available at http://standards.ieee.org/.
- a tenant 100 will configure their client IPsec device 202 to identify a particular cloud IPsec appliance 204 to which it will connect. Additionally, the tenant will identify a specific VLAN or group of managed servers that tenant has access to at the server hosting system 104.
- the cloud IPsec appliance 204 will provide to the client IPsec appliance 202 a preshared encryption key used to establish the IPsec tunnel between those devices.
- data can be secured and routed from a tenant to a managed server that the tenant wishes to access.
- a user 106 at a computing device 108 will request access to a server, for example based on a name of that server or an application stored on the server.
- Authentication of the remote endpoint of an IPsec tunnel uses configuration and a pre-shared secret (key).
- the computing device 108 will form a data packet 510 including a request for access, and forward that request to the client IPsec appliance, e.g. appliance 202a.
- the data packet is transmitted, in encrypted form, over the IPsec tunnel, using encryption methods such as 3DES/SHA1 or other methods.
- the cloud IPsec appliance 204 will receive the data packet 510, and in certain embodiments, apply a tag 512 to the data packet identifying the source (e.g., the tenant) from which the data packet was received.
- cloud IPsec appliance 204a will include a tag identifying tenant 100a, based on the fact that the data packet was received from client IPsec appliance 202a.
- the data packet is then forwarded to switch 502, which passes the packet (along with other aggregated, tagged data packets from other cloud IPsec appliances) to the VLAN switch 504.
- address information in the data packet 510 is examined to determine the intended destination for the data packet.
- the data packet 510 is then forwarded to the VLAN associated with that tenant and which includes the managed server identified by the address in the data packet 510.
- FIG. 6 is a flowchart of a method for communicating between a tenant and a managed server, according to a possible embodiment of the present disclosure.
- the method 600 includes a method of securing communication between the tenant and managed server.
- the method begins at a configuration operation 602, which configures one or more client IPsec appliances 202 and cloud IPsec appliances 204 at one or more tenants 100 and the server hosting system 104, respectively.
- This configuration can include, for example, exchange of an encryption key useable to establish the IPsec tunnel between devices, as well as selecting an encryption algorithm and authentication algorithm for use.
- a data receipt operation 604 corresponds to initial receipt at a cloud IPsec appliance 204 from a client IPsec appliance 202 of data from a tenant 100.
- the data can be a data packet addressed to a particular managed server 102, for example a virtual machine included within a tenant cloud 300 as illustrated in Figure 4.
- a tagging operation 606 occurs at the cloud IPsec appliance 204, and applies a tag identifying a tenant within the data packet received at that appliance.
- the tag can take a variety of forms, but identifies the tenant within the packet.
- a switch forwarding operation 608 forwards the data packet to a switch (e.g., switch 402 of Figure 4), for aggregation with other traffic received from IPsec appliances, and a VLAN switch forwarding operation 610 forwards that traffic, including the data packet, to a VLAN switch, such as the switch 502 of Figure 5.
- a secure connection creation operation 612 creates a secure connection between a virtual secure gateway and a managed server to secure data, such as the VSG 402 and managed server 102 of Figure 4.
- the secure connection creation operation 612 can create a Stealth-enabled tunnel between a VSG and a particular virtual machine, so data exchanged within the tenant cloud cannot be observed by other tenants using the server hosting system 104.
- a managed server forwarding operation 614 occurs at the VLAN switch 504, and includes examination of the data packet and tag to (1) verify the intended destination of the data packet (i.e., the managed server identified by the header address in the data packet) and (2) verify the identity of the tenant attempting to access that managed server. If the managed server is in a VLAN (tenant cloud) that the tenant is able to access, the VLAN switch 504 forwards the data packet to the identified managed server within the authorized VLAN.
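The tagging and forwarding path of Figures 5 and 6 (a per-tenant cloud IPsec appliance applies an 802.1Q tag, and the VLAN switch admits a packet to a tenant cloud only if that tenant is authorized for the destination server), as an added Python example that is not part of the patent or of any vendor's appliance code. Tenant names, VIDs, MAC addresses, IP addresses and the checksum-less IPv4 header are constructed sample values; the example deliberately gives both tenants a server at the same IP address to show why the tag, not the address, selects the tenant cloud.

```python
"""Tag-based tenant routing at the VLAN switch (Figures 5 and 6 of the patent).

The per-tenant cloud IPsec appliance applies an IEEE 802.1Q tag to every packet
it forwards; the VLAN switch admits a packet to a tenant cloud only if the tag's
tenant owns a server at the destination address.  Because tenants may reuse the
same IP address, the (tag, destination) pair, not the address alone, selects the
managed server.  Names, VIDs, MACs and addresses are constructed sample values.
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100       # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800


def ipv4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header (constructed; checksum left as zero)."""
    def octets(addr: str) -> bytes:
        return bytes(int(o) for o in addr.split("."))
    # version/IHL, DSCP/ECN, total length, id, flags/frag, TTL, proto(TCP), csum
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       octets(src), octets(dst))


def tag_frame(dst_mac: bytes, src_mac: bytes, vid: int, payload: bytes,
              pcp: int = 0) -> bytes:
    """What the cloud IPsec appliance does with a decrypted tunnel packet:
    wrap it in an Ethernet frame whose 802.1Q tag carries the tenant's VID.
    The 4-byte tag sits between the source MAC and the original EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)     # PCP(3) | DEI(1)=0 | VID(12)
    return (dst_mac + src_mac
            + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload)


def parse_tagged_frame(frame: bytes) -> tuple:
    """Return (vid, destination IPv4 address) or raise ValueError."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame")
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 18 + 20:
        raise ValueError("no IPv4 header")
    dst = frame[18 + 16:18 + 20]      # IPv4 destination is header bytes 16..19
    return tci & 0x0FFF, ".".join(str(b) for b in dst)


@dataclass(frozen=True)
class TenantCloud:
    tenant: str
    servers: frozenset    # addresses of the managed servers in this tenant VLAN


# Constructed sample table: VID applied by the tenant's appliance -> tenant cloud.
# Both tenants address a server as 10.0.0.5; only the tag tells them apart.
CLOUDS = {
    100: TenantCloud("tenant-100a", frozenset({"10.0.0.5", "10.0.0.6"})),
    200: TenantCloud("tenant-100b", frozenset({"10.0.0.5", "192.168.7.9"})),
}


def vlan_switch_forward(frame: bytes, clouds=CLOUDS) -> tuple:
    """Forwarding operation 614.  Returns (decision, detail, dst_ip) where
    decision is 'forward' (detail = tenant cloud admitted to) or 'drop'."""
    try:
        vid, dst_ip = parse_tagged_frame(frame)
    except ValueError as exc:
        return ("drop", f"malformed: {exc}", "")
    cloud = clouds.get(vid)
    if cloud is None:
        return ("drop", f"unknown tag {vid}", dst_ip)
    if dst_ip not in cloud.servers:
        # Address may exist in another tenant's VLAN: never cross tenant clouds.
        return ("drop", f"{cloud.tenant}: no server at destination", dst_ip)
    return ("forward", cloud.tenant, dst_ip)


def demo() -> list:
    """Four frames as seen by the VLAN switch; the last one is untagged."""
    sw, appl_a, appl_b = b"\x02" * 6, b"\x0a" * 6, b"\x0b" * 6
    frames = [
        # tenant 100a -> its own 10.0.0.5 via appliance 204a (VID 100)
        tag_frame(sw, appl_a, 100, ipv4_header("172.16.1.10", "10.0.0.5")),
        # tenant 100b -> *its* 10.0.0.5 via appliance 204b (VID 200)
        tag_frame(sw, appl_b, 200, ipv4_header("172.17.1.10", "10.0.0.5")),
        # tenant 100a -> an address that exists only in tenant 100b's cloud
        tag_frame(sw, appl_a, 100, ipv4_header("172.16.1.10", "192.168.7.9")),
        # untagged frame (appliance bypassed or misconfigured)
        sw + appl_a + struct.pack("!H", ETHERTYPE_IPV4)
        + ipv4_header("172.16.1.10", "10.0.0.5"),
    ]
    return [vlan_switch_forward(f) for f in frames]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```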
- Figure 7 is a block diagram illustrating an example computing device 700.
- the computing devices 108 and the computing devices in the server hosting system 104 are implemented as one or more computing devices like the computing device 700. It should be appreciated that in other embodiments, the computing devices 108 and computing devices in the server hosting system 104 are implemented using computing devices having hardware components other than those illustrated in the example of Figure 7.
- Computer readable media may include computer storage media and communication media.
- a computer storage medium is a device or article of manufacture that stores data and/or computer-executable instructions.
- Computer storage media may include volatile and nonvolatile, removable and non-removable devices or articles of manufacture implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
- computer storage media may include dynamic random access memory (DRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), reduced latency DRAM, DDR2 SDRAM, DDR3 SDRAM, solid state memory, read-only memory (ROM), electrically-erasable programmable ROM, optical discs (e.g., CD-ROMs, DVDs, etc.), magnetic disks (e.g., hard disks, floppy disks, etc.), magnetic tapes, and other types of devices and/or articles of manufacture that store data.
- Communication media may be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and includes any information delivery media.
- the term "modulated data signal" describes a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
- communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), infrared, and other wireless media.
- The computing device 700 includes a memory 702, a processing system 704, a secondary storage device 706, a network interface card 708, a video interface 710, a display unit 712, an external component interface 714, and a communication medium 716.
- The memory 702 includes one or more computer storage media capable of storing data and/or instructions.
- The memory 702 is implemented in different ways.
- The memory 702 can be implemented using various types of computer storage media.
- The processing system 704 includes one or more processing units.
- A processing unit is a physical device or article of manufacture comprising one or more integrated circuits that selectively execute software instructions.
- The processing system 704 is implemented in various ways.
- The processing system 704 can be implemented as one or more processing cores.
- The processing system 704 can include one or more separate microprocessors.
- The processing system 704 can include an application-specific integrated circuit (ASIC) that provides specific functionality.
- The processing system 704 provides specific functionality by using an ASIC and by executing computer-executable instructions.
- The secondary storage device 706 includes one or more computer storage media.
- The secondary storage device 706 stores data and software instructions not directly accessible by the processing system 704.
- The processing system 704 performs an I/O operation to retrieve data and/or software instructions from the secondary storage device 706.
- The secondary storage device 706 includes various types of computer storage media.
- The secondary storage device 706 can include one or more magnetic disks, magnetic tape drives, optical discs, solid state memory devices, and/or other types of computer storage media.
- The network interface card 708 enables the computing device 700 to send data to and receive data from a communication network.
- The network interface card 708 is implemented in different ways.
- The network interface card 708 can be implemented as an Ethernet interface, a token-ring network interface, a fiber optic network interface, a wireless network interface (e.g., WiFi, WiMax, etc.), or another type of network interface.
- The video interface 710 enables the computing device 700 to output video information to the display unit 712.
- The display unit 712 can be various types of devices for displaying video information, such as a cathode-ray tube display, an LCD display panel, a plasma screen display panel, a touch-sensitive display panel, an LED screen, or a projector.
- The video interface 710 can communicate with the display unit 712 in various ways, such as via a Universal Serial Bus (USB) connector, a VGA connector, a digital visual interface (DVI) connector, an S-Video connector, a High-Definition Multimedia Interface (HDMI) interface, or a DisplayPort connector.
- The external component interface 714 enables the computing device 700 to communicate with external devices.
- The external component interface 714 can be a USB interface, a FireWire interface, a serial port interface, a parallel port interface, a PS/2 interface, and/or another type of interface that enables the computing device 700 to communicate with external devices.
- The external component interface 714 enables the computing device 700 to communicate with various external components, such as external storage devices, input devices, speakers, modems, media player docks, other computing devices, scanners, digital cameras, and fingerprint readers.
- The communications medium 716 facilitates communication among the hardware components of the computing device 700.
- The communications medium 716 facilitates communication among the memory 702, the processing system 704, the secondary storage device 706, the network interface card 708, the video interface 710, and the external component interface 714.
- The communications medium 716 can be implemented in various ways.
- The communications medium 716 can include a PCI bus, a PCI Express bus, an accelerated graphics port (AGP) bus, a serial Advanced Technology Attachment (ATA) interconnect, a parallel ATA interconnect, a Fibre Channel interconnect, a USB bus, a Small Computer System Interface (SCSI) interface, or another type of communications medium.
- The memory 702 stores various types of data and/or software instructions.
- The memory 702 stores a Basic Input/Output System (BIOS) 718 and an operating system 720.
- BIOS 718 includes a set of computer-executable instructions that, when executed by the processing system 704, cause the computing device 700 to boot up.
- The operating system 720 includes a set of computer-executable instructions that, when executed by the processing system 704, cause the computing device 700 to provide an operating system that coordinates the activities and sharing of resources of the computing device 700.
- The memory 702 stores application software 722.
- The application software 722 includes computer-executable instructions that, when executed by the processing system 704, cause the computing device 700 to provide one or more applications.
- The memory 702 also stores program data 724.
- The program data 724 is data used by programs that execute on the computing device 700.
- Tenant systems are not required to specially identify the data transmitted to the server hosting system via the IPsec connection, and therefore each tenant can use industry-standard, lower cost networking equipment.
- Cloud IPsec appliances as recited herein are only required to apply a single tag to the data packets received, since each is dedicated to a particular tenant.
- Use of IPsec appliances provides a further way in which tenants can access managed servers in the server hosting system, thereby providing increased flexibility in connection methods. Additional advantages exist as well.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Description
- The present disclosure relates generally to networking systems; in particular, the present disclosure relates to integration of an IPsec connection to private networks.
- A server hosting system provides servers for use by multiple customers, or tenants. Computing devices in the server hosting system are located at one or more locations remote from the tenants. For instance, the computing devices in the server hosting system can be located at a premises occupied by a vendor, or offsite from the vendor. Use of server hosting systems is growing in popularity because a server hosting system can enable a tenant to divide the cost of implementing, maintaining, and running servers with other tenants.
- A server provided by a server hosting system is sometimes referred to as a managed server. A server hosting system can include a dedicated computing device that exclusively provides an individual managed server for a tenant. Alternatively, the server hosting system can include a computing device that provides multiple virtual managed servers. In this alternative scenario, each of the virtual managed servers functions like a separate server, even though the virtual managed servers are provided by a single computing device.
- Preferably, a tenant is able to readily access a managed server in a simple manner, to allow a managed server to approximate the convenience of a local server managed by that tenant. Access, in this context, includes administration of a server hosting system and managed servers included in such a system including adding or deleting managed servers, or controlling access to those managed servers to certain individuals associated with the tenant. To do so, a tenant should be able to communicate data securely with the server hosting system, and use any off-the-shelf networking devices to accomplish this connection. Additionally, the tenant must be able to identify the particular managed server within the server hosting system that the tenant wishes to access.
- In some cases, a server hosting system can be secured internally, to protect data exchanged among managed servers. For example, in the case where the managed servers are virtual managed servers, multiple tenants may share a set of those virtual managed servers, but those tenants may not be allowed access to each other's data. One example of such a server hosting system security arrangement is provided by the Stealth data parsing technology provided by Unisys Corporation of Blue Bell, Pennsylvania. However, to integrate this data parsing technology at a tenant, the tenant is required to install specialized software or use a particular secure appliance as a gateway to gain access to a server hosting system. In some circumstances, tenants prefer an off-the-shelf networking appliance that allows them to connect to their managed servers at a server hosting system.
- One method by which secured communication can be provided is through use of the Internet Protocol Security (IPsec) protocol suite. IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data communicated between hosts, gateways, or some combination thereof. IPsec secures IP communication by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between computing systems at the beginning of a communications session and negotiation of cryptographic keys to be used during the session.
- Typically, to allow tenants to access managed servers, those tenants would be assigned a set of contiguous IP addresses, such that the server hosting system receiving data packets from a variety of tenants could use subnetting to determine the specific destination managed server for data received from a tenant. However, in these situations, IP addresses can quickly become exhausted, placing an unnecessary limit on the number of tenants able to connect to a managed server in the server hosting system. Also, because tenants are allowed to dynamically add and delete servers, server IP addresses are assigned in an unpredictable fashion. This results in non-contiguous IP addresses and segmentation of the available IP address space. Furthermore, because tenants are preferably allowed to assign their own IP addresses to managed servers, those tenants may in fact assign the same IP address to different servers, resulting in the case where two tenants may desire to use two different servers with the same IP address.
- Other arrangements use a tag in the IPsec communication packet that identifies the managed server that is the destination of the packet from the tenant. However, this approach requires use of a proprietary addition to the data packet that must be added by a tenant device, and therefore requires that tenants obtain specialized appliances that can handle routing of data packets by applying such tags. For these and other reasons, improvements are desirable.
- LI ERRAN LI ET AL: "VSITE: A scalable and secure architecture for seamless L2 enterprise extension in the cloud", SECURE NETWORK PROTOCOLS (NPSEC), 2010 6TH IEEE WORKSHOP ON, IEEE, PISCATAWAY, NJ, USA, 5 October 2010 (2010-10-05), pages 31-36, discloses an end-to-end architecture, called VSITE, for seamless integration of cloud resources into an enterprise's Intranet at layer 2, allowing a cloud provider to carve out its resources to serve multiple enterprises simultaneously while maintaining isolation and security.
- US 2010/257263 A1 discloses a virtual platform in which one or more distributed virtual switches can be created for use in virtual networking.
- WOOD T ET AL: "The case for enterprise-ready virtual private clouds", INTERNET CITATION, 19 June 2009 (2009-06-19), pages 1-5, discloses a cloud platform architecture which utilizes virtual private networks to securely and seamlessly link cloud and enterprise sites.
- US 2003/0055933 A1 discloses techniques for creation, operation, management, and access control of network-based storage services in customer support operations to provide improved efficiency of the service management tasks used for designing, operating and accounting the robust and profitable network services.
- The present invention is directed to subject-matter as disclosed by the appended claims.
- In a first aspect, a server hosting system is disclosed according to claim 1.
- In a second aspect, a method of securing communications between a tenant and a server hosting system is disclosed according to claim 11.
- In a third aspect, a computer storage medium is disclosed according to claim 13.
- Figure 1 is a block diagram illustrating an example embodiment in which multiple tenants use managed servers provided by a server hosting system;
- Figure 2 is a block diagram illustrating example details of an example communication interface to a server hosting system;
- Figure 3 is a block diagram illustrating further example details of the server hosting system;
- Figure 4 is a block diagram illustrating example details of a tenant cloud within the server hosting system;
- Figure 5 is a block diagram illustrating an example embodiment of a server hosting system implementing an IPsec connection, according to a possible embodiment;
- Figure 6 is a flowchart of a method for securing communications between a tenant and a managed server, according to a possible embodiment;
- Figure 7 is a block diagram illustrating example physical details of an electronic computing device, with which aspects of the present disclosure can be implemented.
- Various embodiments of the present invention will be described in detail with reference to the drawings, wherein like reference numerals represent like parts and assemblies throughout the several views. Reference to various embodiments does not limit the scope of the invention, which is limited only by the scope of the claims attached hereto. Additionally, any examples set forth in this specification are not intended to be limiting and merely set forth some of the many possible embodiments for the claimed invention.
- The logical operations of the various embodiments of the disclosure described herein are implemented as: (1) a sequence of computer implemented steps, operations, or procedures running on a programmable circuit within a computer, and/or (2) a sequence of computer implemented steps, operations, or procedures running on a programmable circuit within a directory system, database, or compiler.
- In general, the present disclosure relates to use of an IPsec connection and tenant-dedicated secure communications appliances to route tenant data and access requests to managed servers in a server hosting system that the tenant is authorized to access. By using dedicated appliances per tenant within the server hosting system, the tenant systems are not required to specially identify the data transmitted to the server hosting system via the IPsec connection, and therefore each tenant can use industry-standard, lower cost networking equipment. This extension of the server hosting system also provides increased flexibility in methods by which tenants can access managed servers.
- Figure 1 is a block diagram illustrating an example embodiment in which multiple tenants use managed servers 102 provided by a server hosting system 104. The tenants are referred to herein as tenants 100. Although the example of Figure 1 shows only two tenants 100 and two managed servers 102, it should be appreciated that additional tenants can use managed servers provided by the server hosting system 104. The server hosting system 104 can provide additional managed servers.
- Each of the tenants 100 is an entity. The tenants 100 can be various types of entities. For example, one or more of the tenants 100 can be business entities, non-profit entities, individual people, government organizations, and so on. Each of the tenants 100 is associated with at least one user 106. The tenants 100 can be associated with the users 106 in various ways. For example, one or more of the users 106 can be employees, agents, users, contractors, or customers of the tenants 100. In other examples, the users 106 can have other relationships with the tenants 100.
- The users 106 use computing devices 108. The computing devices 108 can be a variety of different types of computing devices. For example, the computing devices 108 can be personal computers, laptop computers, handheld computers, tablet computers, smart phones, in-car computers, gaming consoles, television set-top boxes, thin-client computers, and other types of computing devices. In some embodiments, one or more of the computing devices 108 are of the types described below with regard to Figure 7.
- The server hosting system 104 includes one or more computing devices. For example, the server hosting system 104 can include one or more standalone server devices, blade server devices, data storage devices, personal computers, mainframe computers, routers, switches, intrusion detection devices, firewall devices, bridges, and other types of computing devices. In some embodiments, one or more of the computing devices in the server hosting system 104 are of the types described below with regard to Figure 7.
- The computing devices of the server hosting system 104 operate to provide the managed servers 102. The computing devices of the server hosting system 104 can operate in various ways to provide the managed servers 102. For example, a computing device in the server hosting system 104 can execute computer-executable instructions that cause the computing device to provide one of the managed servers 102. In another example, a computing device in the server hosting system 104 can include one or more application-specific integrated circuits (ASICs) that operate to provide one of the managed servers 102.
- In some embodiments, single computing devices in the server hosting system 104 can provide multiple ones of the managed servers 102 for use by the same or different ones of the tenants 100. In this case, the multiple managed servers provided by a single computing device are "virtual" managed servers. For example, one of the computing devices in the server hosting system 104 can run VMware® software. In this example, the VMware® software provides an operating environment in which multiple virtual managed servers run. In some embodiments, a single computing device of the server hosting system 104 can provide a single one of the managed servers 102 that is dedicated for use by one of the tenants 100. In other embodiments, a single computing device of the server hosting system 104 can provide two or more of the managed servers 102, each of which is dedicated for use by the same tenant 100, or different tenants. However, it is recognized that each of the managed servers 102 is to be associated to a tenant on a one-to-one or many-to-one basis; a managed server 102 is not, according to the embodiments disclosed herein, assigned to more than one tenant 100.
- The computing devices 108 used by the users 106 communicate with the server hosting system 104 via a communication network 110. The communication network 110 can include various types of communication networks. For example, the communication network 110 can include the Internet. In another example, the communication network 110 can include one or more wide-area networks, local-area networks, or other types of networks. The communication network 110 can include one or more wired or wireless communication links between computing devices connected to the communication network 110.
- Figure 2 is a block diagram illustrating details of an example communication interface to a server hosting system 104. In this embodiment, each of the tenants 100a-b includes a tenant communication appliance, shown as client IPsec appliances 202a-b. The client IPsec devices 202a-b can collectively be referred to herein as client IPsec appliances 202. The client IPsec appliances 202 are network appliances capable of communicating with remote systems using an IPsec communication protocol. Details regarding the IPsec communication protocol are described in "Security Architecture for the Internet Protocol" published as RFC 4301, and related protocols, available at www.ietf.org. The client IPsec appliances 202 can, in certain embodiments, be generally available networking devices, for example a 5500 series security appliance available from Cisco Systems of San Jose, California. Other types of appliances could be used as well.
- The server hosting system 104 includes a secure communication appliance, shown as cloud IPsec appliance 204, associated with each tenant 100; in the embodiment shown, a first cloud IPsec appliance 204a communicates with a first client IPsec appliance 202a via an IPsec tunnel 205a, for example over the internet. Similarly, a second cloud IPsec appliance 204b communicates with a second client IPsec appliance 202b via a separate IPsec tunnel 205b. Although additional or fewer cloud IPsec appliances 204 could be included in the server hosting system, in the various embodiments described herein at least one cloud IPsec appliance 204 exists and is dedicated to communication with each tenant 100. The cloud IPsec appliances 204 can each also be, in certain embodiments, a 5500 series security appliance available from Cisco Systems of San Jose, California. Other types of appliances could be used as well.
- The server hosting system 104 also includes a switch 206 communicatively connected to each of the cloud IPsec appliances 204. The switch 206 is a layer 2 switch that collects and routes data (e.g., requests for communication with one or more managed servers) into a cloud 208, which can include any of a variety of layouts of managed servers, for example virtual server systems logically arranged into a plurality of virtual local area networks (VLANs), as discussed below in connection with Figure 3. In certain embodiments, the switch 206 can be a Catalyst 3560 series switch as provided by Cisco Systems of San Jose, California. Other types of switches could be used as well.
- Figure 3 is a block diagram illustrating further details of the server hosting system 104. As illustrated in the example of Figure 3, the server hosting system 104 includes tenant clouds 300A, 300B, and 300C. Tenant clouds 300A, 300B, and 300C are also referred to herein collectively as the tenant clouds 300. Each of the tenant clouds 300 is associated with one of the tenants 100. As illustrated in Figure 3, it is preferable that a one-to-one mapping of tenants and tenant clouds is maintained. Although the example of Figure 3 shows the server hosting system 104 as including only three tenant clouds, it should be appreciated that the server hosting system 104 can include more or fewer tenant clouds.
- Each of the tenant clouds 300 includes one or more managed servers, such as managed servers 102 of Figure 1. When the server hosting system 104 receives a data packet from an external system, for example via an IPsec tunnel and a cloud IPsec appliance 204, the system switch 302 receives the data packet, for example from another switch (such as switch 206 of Figure 2) and routes the data packet onto the system VLAN 304. Furthermore, the system switch 302 can route data from the system VLAN 304 to outbound portions of the server hosting system 104, for example the switch 206 and cloud IPsec appliances 204a-b of Figure 2. In various embodiments, the system switch 302 can be implemented in various ways. For example, the system switch 302 can be implemented using a specialized switch device. In this example, the specialized switch device routes packets in hardware and/or firmware. In another example, the system switch 302 can be implemented using a computing device that is not a specialized switch device. In this example, the computing device routes packets using application- or utility-level software.
- Referring now to Figure 4, a block diagram illustrating details of a tenant cloud 300, or tenant virtual local area network ("tenant VLAN") within the server hosting system 104 is shown. As shown in Figure 4, a tenant cloud connects to the system VLAN 304, and includes a virtual secure gateway (VSG) 402. The virtual secure gateway 402 receives data packets destined for one or more managed servers 102 within the tenant cloud 300. In certain embodiments, the virtual secure gateway is assigned an identifier, and receives data packets associated with that identifier, as discussed further in connection with Figure 5, below.
- The virtual secure gateway 402 also forms a secure communication session between each of the managed servers 102 that are a part of the tenant cloud 300 (as opposed to other tenant clouds associated with different, unaffiliated tenants). In this embodiment, the one or more managed servers 102 can be virtual systems configured to represent one or more computing systems accessible to a particular tenant, with the tenant associated with a "community" of users capable of accessing the managed servers within the tenant cloud 300.
- In some embodiments, the virtual secure gateway 402 shreds and encrypts each data packet received from the system VLAN 304, and recompiles data packets received from the managed servers 104. As such, within the tenant cloud, data communication is secure, while communication on the system VLAN 304 can occur in clear text to allow inspection and routing of packets by other infrastructure within the server hosting system 104. In some embodiments, this shredding and encryption at the virtual secure gateway 402 and managed servers 102 is accomplished using the Stealth data parsing technology provided by Unisys Corporation of Blue Bell, Pennsylvania.
- Referring now to Figure 5, a block diagram illustrating an example embodiment of an overall network 500 including a server hosting system implementing an IPsec connection is shown, according to a possible embodiment. The network 500 illustrates one example layout of the client and server hosting system arrangements of Figures 1-4, in which usage examples of IPsec connection to a server hosting system can be discussed. The network 500 includes a plurality of tenants 100, shown as first and second tenants 100a and 100b, respectively. The tenants, as previously discussed, include a plurality of users 106 and computing devices 108, and at least one client IPsec appliance 202. Each tenant 100 connects to the server hosting system 104 via a network 110, which can be, in various embodiments, an Internet connection, or any other network connection. Each client IPsec appliance 202 connects to a cloud IPsec appliance 204, where there is a cloud IPsec appliance dedicated to each tenant. The client IPsec appliance can, for example, be preprogrammed to connect only to a particular cloud IPsec appliance 204 at a particular network address. The cloud IPsec appliance 204 provides an encryption key to the client IPsec appliance 202, and the appliances 202, 204 form an IPsec tunnel for secure communication between the tenant 100 and the server hosting system 104.
- A switch 502 aggregates and routes data packets passing between the respective cloud IPsec appliance 204 and a VLAN switch 504. The switch can, in certain embodiments, be a layer two IP switch. In various embodiments, the switch 502 can correspond to one or more switches, or a "switch fabric", utilized to route data between cloud IPsec appliances 204 and the VLAN switch 504.
- The VLAN switch 504 is connected between the switch 502 and a plurality of virtual secure gateways 402a-c, which represent access points for corresponding tenant clouds as illustrated in Figure 3. In this embodiment, the virtual secure gateways 402a-c each provide access to managed servers 102 (shown by way of example with respect to virtual secure gateway 402a), and routing of packets between clients and respective tenant clouds associated with those clients. The virtual secure gateways 402a-c are therefore in this embodiment access points to virtual machines arranged into virtual local area networks (VLANs), such that one or more managed servers 102 are provided in each VLAN. The VLAN switch 504 routes data packets forwarded from the switch 502 to one of a plurality of virtual secure gateways 402a-c, which provide an access point for data destined for a particular virtual machine. In certain embodiments, the VLAN switch 504 can correspond to the system switch 302 of Figure 3.
- In certain embodiments, the virtual secure gateways 402a-c represent an entry point into a tenant-specific secure virtual network, or "tenant cloud", for example enabled using Stealth data parsing technology provided by Unisys Corporation of Blue Bell, Pennsylvania. As previously mentioned, each virtual secure gateway 402a-c can be identified with a particular gateway identifier, which resultingly identifies the tenant VLAN or cloud accessible by a particular tenant.
- In certain embodiments, the VLAN switch 504 inspects each data packet received from the switch 502, in particular a tag 510 identifying the destination managed server for the data packet. The tag 510 can, in certain embodiments, be applied by the cloud IPsec appliance 204 that receives the packet from a client 100. As such, each cloud IPsec appliance 204 applies a same unique tag to each packet it receives from a client, because only one client connects to each IPsec appliance. For example, in the illustration of Figure 5, cloud IPsec appliance 204a does not connect to client IPsec appliance 202b, and cloud IPsec appliance 204b does not connect to client IPsec appliance 202a, respectively. In some embodiments, the switch 502 and VLAN switch 504 can be incorporated into a single device, or multiple switching devices.
- In an example embodiment, the tag 510 can represent an identity of a virtual secure gateway to which the data packet is destined. For example, a cloud IPsec appliance 204a could be configured to apply a tag representing "Virtual Secure Gateway 1" (VSG 506a) to a data packet 510, such that when the packet arrives at the VLAN switch 404, the packet is routed to the VSG identified by the tag, in this case, VSG 506a. Data packets routed from the virtual secure gateway can likewise be tagged with the identity of that VSG, such that the VLAN switch 504 and switch 502 are instructed to route those packets to the correct cloud IPsec appliance 204. Continuing the above example, packets tagged "Virtual Secure Gateway 1" from VSG 506a would only be routed to IPsec appliance 204a.
- In some embodiments, the tag 510 can be managed by an IPsec appliance 204 and the VLAN switch 504 in accordance with IEEE specification 802.1Q, available at http://standards.ieee.org/.
- In the embodiment shown, a tenant 100 will configure their client IPsec device 202 to identify a particular cloud IPsec appliance 204 to which it will connect. Additionally, the tenant will identify a specific VLAN or group of managed servers that tenant has access to at the server hosting system 104. The cloud IPsec appliance 204 will provide to the client IPsec appliance 202 a preshared encryption key used to establish the IPsec tunnel between those devices. Through use of the dedicated cloud IPsec appliance 204 for each tenant and dedicated VSGs 402 for each tenant cloud, data can be secured and routed from a tenant to a managed server that the tenant wishes to access.
- In one possible example data flow illustrating a data packet 510 traveling from a tenant 100 to a managed server 102 (e.g., as a request for access to data or computing resources of that managed server), a user 106 at a computing device 108 will request access to a server, for example based on a name of that server or an application stored on the server. Authentication of the remote endpoint of an IPsec tunnel uses configuration and a pre-shared secret (key). The computing device 108 will form a data packet 510 including a request for access, and forward that request to the client IPsec appliance, e.g. appliance 202a. Once a tunnel is established, the data packet is transmitted, in encrypted form, over the IPsec tunnel, using encryption methods such as 3DES/SHA1 or other methods.
- The cloud IPsec appliance 204 will receive the data packet 510, and in certain embodiments, apply a tag 512 to the data packet identifying the source (e.g., the tenant) from which the data packet was received. For example, in the embodiment of Figure 5, cloud IPsec appliance 204a will include a tag identifying tenant 100a, based on the fact that the data packet was received from client IPsec appliance 202a. The data packet is then forwarded to switch 502, which passes the packet (along with other aggregated, tagged data packets from other cloud IPsec appliances) to the VLAN switch 504.
- At the VLAN switch 504, address information in the data packet 510 is examined to determine the intended destination for the data packet. The data packet 510 is then forwarded to the VLAN associated with that tenant and which includes the managed server identified by the address in the data packet 510.
Figure 6 is a flowchart of a method for communicating between a tenant and a managed server is shown, according to a possible embodiment of the present disclosure. Themethod 600 includes a method of securing communication between the tenant and managed server. - As illustrated, the method begins at a
configuration operation 602, which configures one or more client IPsec appliances 202 andcloud IPsec appliances 204 at one ormore tenants 100 and theserver hosting system 104, respectively. This configuration can include, for example, exchange of an encryption key useable to establish the IPsec tunnel between devices, as well as selecting an encryption algorithm and authentication algorithm for use. - A
data receipt operation 604 corresponds to initial receipt at acloud IPsec appliance 204 from a client IPsec appliance 202 of data from atenant 100. The data can be a data packet addressed to a particular managedserver 102, for example a virtual machine included within atenant cloud 300 as illustrated inFigure 4 . - A tagging
operation 606 occurs at thecloud IPsec appliance 204, and applies a tag identifying a tenant within the data packet received at that appliance. The tag can take a variety of forms, but identifies the tenant within the packet. - A
switch forwarding operation 608 forwards the data packet to a switch (e.g., switch 402 ofFigure 4 ), for aggregation with other traffic received from IPsec appliances, and a VLANswitch forwarding operation 610 forwards that traffic, including the data packet, to a VLAN switch, such as the switch 502 ofFigure 5 . - A secure
connection creation operation 612 creates a secure connection between a virtual secure gateway and a managed server to secure data, such as theVSG 402 and managedserver 102 ofFigure 4 . For example, the secureconnection creation operation 612 can create a Stealth-enabled tunnel between a VSG and a particular virtual machine, so data exchanged within the tenant cloud cannot be observed by other tenants using theserver hosting system 104. - A managed
server forwarding operation 614 occurs at theVLAN switch 504, and includes examination of the data packet and tag to (1) verify the intended destination of the data packet (i.e., the managed server identified by the header address in the data packet) and the identity of the tenant attempting to access that managed server. If the managed server is in a VLAN (tenant cloud) that the tenant is able to access, the data packet forwards the data packet to the identified managed server within the authorized VLAN. -
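The tag-and-forward path of operations 604 through 614, and the Figure 5 data flow above, as an added example that is not part of the patent text or of any Unisys product: a toy Python model in which a per-tenant appliance stamps an IEEE 802.1Q VLAN tag on the inner frame it received over the tenant's tunnel, and a VLAN switch forwards only to managed servers that are members of that tenant's VLAN. The IPsec decapsulation is left out (the example starts from the decrypted inner frame); the VLAN ID values, the MAC addresses, the frame payloads and the rejection of inner frames that already carry a tag are assumptions of the example, not details taken from the page.

```python
"""Toy model of the tenant-tagging data path (patent Figures 5 and 6).

Constructed example: one 'cloud IPsec appliance' per tenant stamps a fixed
802.1Q VLAN ID on each inner frame; the VLAN switch then forwards only to
servers inside the VLAN that the tag names.  Not the patent holder's code.
"""
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def make_frame(dst: bytes, src: bytes, payload: bytes,
               ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build a minimal untagged Ethernet II frame (constructed sample input)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def insert_vlan_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) after the 12-byte dst/src MAC header.

    Refuses frames that already carry a tag, so a tenant cannot pre-stamp a VID
    and end up double-tagged (assumed hardening; the page does not describe it).
    """
    if len(frame) < 14:
        raise ValueError("frame too short")
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        raise ValueError("inner frame already tagged; refusing to forward")
    if not 1 <= vid <= 4094:
        raise ValueError("invalid VLAN ID")
    tci = ((pcp & 0x7) << 13) | vid          # DEI bit left at 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_vlan_tag(frame: bytes) -> tuple[int, bytes]:
    """Return (vid, untagged_frame); raise if no 802.1Q tag is present."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        raise ValueError("untagged frame")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


@dataclass
class CloudIpsecAppliance:
    """Tagging operation 606: one appliance per tenant, one fixed tag per appliance."""
    tenant: str
    vid: int

    def ingress(self, decrypted_frame: bytes) -> bytes:
        # IPsec decapsulation is out of scope; start from the inner frame and
        # stamp the tenant's VID, which the tenant's own equipment cannot choose.
        return insert_vlan_tag(decrypted_frame, self.vid)


@dataclass
class VlanSwitch:
    """Forwarding operation 614: deliver only inside the VLAN the tag names."""
    members: dict[int, set[bytes]] = field(default_factory=dict)  # vid -> server MACs

    def forward(self, tagged_frame: bytes):
        vid, frame = parse_vlan_tag(tagged_frame)
        dst = frame[:6]
        if dst not in self.members.get(vid, set()):
            return None                       # destination not in tenant's VLAN: drop
        return vid, dst, frame                # (VLAN, managed server, untagged frame)


def run_demo() -> dict:
    server_a = mac("02:00:00:0a:00:01")       # tenant A's managed server (assumed)
    server_b = mac("02:00:00:0b:00:01")       # tenant B's managed server (assumed)
    host_a = mac("02:00:00:0a:ff:01")         # a host behind tenant A's appliance
    appliance_a = CloudIpsecAppliance("tenant_100A", vid=100)
    switch = VlanSwitch({100: {server_a}, 200: {server_b}})

    results = {}
    # 1. Tenant A -> its own server: delivered inside VLAN 100.
    frame = make_frame(server_a, host_a, b"GET /data")
    results["own_server"] = switch.forward(appliance_a.ingress(frame))
    # 2. Tenant A -> tenant B's server: tag is still 100, server_b is not a member.
    frame = make_frame(server_b, host_a, b"GET /data")
    results["cross_tenant"] = switch.forward(appliance_a.ingress(frame))
    # 3. Tenant A pre-tags its inner frame with tenant B's VID: appliance refuses.
    pre_tagged = insert_vlan_tag(make_frame(server_b, host_a, b"GET /data"), 200)
    try:
        appliance_a.ingress(pre_tagged)
        results["spoofed_tag"] = "forwarded"
    except ValueError:
        results["spoofed_tag"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, "->", "dropped" if outcome is None else outcome)
```

The isolation property rests on where the tag is applied: the provider's appliance stamps it after the tunnel terminates, so nothing the tenant sends can select a VLAN, and a dedicated appliance per tenant means each appliance needs exactly one VID (the "single tag" advantage the description claims). The check that rejects an already-tagged inner frame is the one addition a practitioner would want on such a path, since a switch that honours an inner tag after the appliance's outer tag is stripped would let a tenant reach another tenant's VLAN.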
Figure 7 is a block diagram illustrating an example computing device 700. In some embodiments, the computing devices 108 and the computing devices in the server hosting system 104 are implemented as one or more computing devices like the computing device 700. It should be appreciated that in other embodiments, the computing devices 108 and computing devices in the server hosting system 104 are implemented using computing devices having hardware components other than those illustrated in the example of Figure 7.
- The term computer readable media as used herein may include computer storage media and communication media. As used in this document, a computer storage medium is a device or article of manufacture that stores data and/or computer-executable instructions. Computer storage media may include volatile and nonvolatile, removable and non-removable devices or articles of manufacture implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data. By way of example, and not limitation, computer storage media may include dynamic random access memory (DRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), reduced latency DRAM, DDR2 SDRAM, DDR3 SDRAM, solid state memory, read-only memory (ROM), electrically-erasable programmable ROM, optical discs (e.g., CD-ROMs, DVDs, etc.), magnetic disks (e.g., hard disks, floppy disks, etc.), magnetic tapes, and other types of devices and/or articles of manufacture that store data. Communication media may be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and includes any information delivery media. The term "modulated data signal" may describe a signal that has one or more characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), infrared, and other wireless media.
- In the example of Figure 7, the computing device 700 includes a memory 702, a processing system 704, a secondary storage device 706, a network interface card 708, a video interface 710, a display unit 712, an external component interface 714, and a communication medium 716. The memory 702 includes one or more computer storage media capable of storing data and/or instructions. In different embodiments, the memory 702 is implemented in different ways. For example, the memory 702 can be implemented using various types of computer storage media.
- The processing system 704 includes one or more processing units. A processing unit is a physical device or article of manufacture comprising one or more integrated circuits that selectively execute software instructions. In various embodiments, the processing system 704 is implemented in various ways. For example, the processing system 704 can be implemented as one or more processing cores. In another example, the processing system 704 can include one or more separate microprocessors. In yet another example embodiment, the processing system 704 can include an application-specific integrated circuit (ASIC) that provides specific functionality. In yet another example, the processing system 704 provides specific functionality by using an ASIC and by executing computer-executable instructions.
- The secondary storage device 706 includes one or more computer storage media. The secondary storage device 706 stores data and software instructions not directly accessible by the processing system 704. In other words, the processing system 704 performs an I/O operation to retrieve data and/or software instructions from the secondary storage device 706. In various embodiments, the secondary storage device 706 includes various types of computer storage media. For example, the secondary storage device 706 can include one or more magnetic disks, magnetic tape drives, optical discs, solid state memory devices, and/or other types of computer storage media.
- The network interface card 708 enables the computing device 700 to send data to and receive data from a communication network. In different embodiments, the network interface card 708 is implemented in different ways. For example, the network interface card 708 can be implemented as an Ethernet interface, a token-ring network interface, a fiber optic network interface, a wireless network interface (e.g., WiFi, WiMax, etc.), or another type of network interface.
- The video interface 710 enables the computing device 700 to output video information to the display unit 712. The display unit 712 can be various types of devices for displaying video information, such as a cathode-ray tube display, an LCD display panel, a plasma screen display panel, a touch-sensitive display panel, an LED screen, or a projector. The video interface 710 can communicate with the display unit 712 in various ways, such as via a Universal Serial Bus (USB) connector, a VGA connector, a digital visual interface (DVI) connector, an S-Video connector, a High-Definition Multimedia Interface (HDMI) interface, or a DisplayPort connector.
- The external component interface 714 enables the computing device 700 to communicate with external devices. For example, the external component interface 714 can be a USB interface, a FireWire interface, a serial port interface, a parallel port interface, a PS/2 interface, and/or another type of interface that enables the computing device 700 to communicate with external devices. In various embodiments, the external component interface 714 enables the computing device 700 to communicate with various external components, such as external storage devices, input devices, speakers, modems, media player docks, other computing devices, scanners, digital cameras, and fingerprint readers.
- The communications medium 716 facilitates communication among the hardware components of the computing device 700. In the example of Figure 7, the communications medium 716 facilitates communication among the memory 702, the processing system 704, the secondary storage device 706, the network interface card 708, the video interface 710, and the external component interface 714. The communications medium 716 can be implemented in various ways. For example, the communications medium 716 can include a PCI bus, a PCI Express bus, an accelerated graphics port (AGP) bus, a serial Advanced Technology Attachment (ATA) interconnect, a parallel ATA interconnect, a Fibre Channel interconnect, a USB bus, a Small Computer System Interface (SCSI) interface, or another type of communications medium.
- The memory 702 stores various types of data and/or software instructions. For instance, in the example of Figure 7, the memory 702 stores a Basic Input/Output System (BIOS) 718 and an operating system 720. The BIOS 718 includes a set of computer-executable instructions that, when executed by the processing system 704, cause the computing device 700 to boot up. The operating system 720 includes a set of computer-executable instructions that, when executed by the processing system 704, cause the computing device 700 to provide an operating system that coordinates the activities and sharing of resources of the computing device 700. Furthermore, the memory 702 stores application software 722. The application software 722 includes computer-executable instructions that, when executed by the processing system 704, cause the computing device 700 to provide one or more applications. The memory 702 also stores program data 724. The program data 724 is data used by programs that execute on the computing device 700.
- Overall, a number of advantages of the methods and systems of the present disclosure exist. For example, tenant systems are not required to specially identify the data transmitted to the server hosting system via the IPsec connection, and therefore each tenant can use industry-standard, lower cost networking equipment. Additionally, the cloud IPsec appliances as recited herein are only required to apply a single tag to the data packets received, since they are dedicated to a particular tenant. Furthermore, use of IPsec appliances provides a further way in which tenants can access managed servers in the server hosting system, thereby providing increased flexibility in connection methods. Additional advantages exist as well.
- The various embodiments described above are provided by way of illustration only and should not be construed as limiting. Those skilled in the art will readily recognize various modifications and changes that may be made without following the example embodiments and applications illustrated and described herein. For example, the operations shown in the figures are merely examples. In various embodiments, similar operations can include more or fewer steps than those shown in the figures. Furthermore, in other embodiments, similar operations can include the steps of the operations shown in the figures in different orders. Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.
Claims (13)
- A server hosting system (104) comprising:
  a plurality of managed servers (102);
  a first secure communication appliance (204a) configured to connect to a tenant appliance (202a) at a first tenant (100A) using a first IPsec tunnel (205a), the first secure communication appliance (204a) further configured to route data (510) between a first managed server (102) of the plurality of managed servers (102) and the tenant appliance (202a) at the first tenant (100A), the first managed server (102) associated with the first tenant (100A);
  a second secure communication appliance (204b) configured to connect to a tenant appliance (202b) at a second tenant (100B) using a second IPsec tunnel (205b), the second secure communication appliance (204b) further configured to route data (510) between a second managed server (102) of the plurality of managed servers (102) and the tenant appliance (202b) at the second tenant (100B), the second managed server (102) associated with the second tenant (100B); and
  a switch (504) communicatively connected to the first and second secure communication appliances (204a, 204b);
  wherein the first secure communication appliance (204a) is configured to apply a first tag (512) to data (510) received from the tenant appliance (202a) at the first tenant (100A) identifying the first tenant (100A), and wherein the second secure communication appliance (202b) is configured to apply a second tag (512) to data (510) received from the tenant appliance (202b) at the second tenant (100B) identifying the second tenant (100B);
  wherein the second secure communication appliance (204b) does not communicate with the tenant appliance (202a) at the first tenant (100A), and the first secure communication appliance (204a) does not communicate with the tenant appliance (202b) at the second tenant (100B); and
  wherein the switch (504) is configured to route data (510) from the first secure communication appliance (204a) to the first managed server (102) based at least in part on the first tag (512) identifying the first tenant (100A) and to route data (510) from the second secure communication appliance (204b) to the second managed server (102) based at least in part on the second tag (512) identifying the second tenant (100B).
- The server hosting system of claim 1, wherein at least one of the first and second managed servers (102) is assigned a tenant virtual local area network, VLAN.
- The server hosting system of claim 1, wherein the first tag (512) identifies a virtual secure gateway (506a) associated with the first tenant (100A), and the second tag (512) identifies a second virtual secure gateway (506b) associated with a second tenant (100B).
- The server hosting system of claim 3, wherein the first virtual secure gateway (506a) is configured to establish a secure communication connection with at least the first managed server (102), and wherein the second virtual secure gateway (506b) is configured to establish a secure communication connection with at least the second managed server (102).
- The server hosting system of claim 4, wherein the secure communication session comprises a Stealth-enabled encrypted communication session.
- The server hosting system of claim 1, wherein the switch (504) is a virtual local area network, VLAN, switch.
- The server hosting system of claim 6, further comprising a second switch (502) communicatively connecting the VLAN switch (504) to the first and second secure communication appliances (204a, 204b).
- The server hosting system of claim 1, wherein the IPsec tunnel (205a) between the first secure communication appliance (204a) and the tenant appliance (202a) at the first tenant (100A) is created using a key shared for authentication and data is encrypted using configured encryption methods with the tenant appliance (202a) at the first tenant (100A) from the first secure communication appliance (204a).
- The server hosting system of claim 1, wherein at least one of the first and second managed servers (102) comprises a virtual machine.
- The server hosting system of claim 9, wherein the first and second managed servers (102) each comprise a different virtual machine, and wherein the first and second managed servers (102) execute on a common computing device.
- A method of securing communications between a tenant (100A) and a server hosting system (104), the method comprising:
  receiving data at a first secure communication appliance (204a) from a tenant appliance (202a) at a first tenant (100A);
  applying a first tag (512) to the data (510) at the first secure communication appliance (204a), the first tag (512) identifying the first tenant (100A) as the source of the data (510);
  forwarding, by way of a switch (504), the data (510) including the first tag (512) to a first managed server (102) associated with the first tenant (100A) based at least in part on the first tag (512) identifying the first tenant (100A);
  receiving data (510) at a second secure communication appliance (204b) from a tenant appliance (202b) at a second tenant (100B) separate from the first tenant (100A);
  applying a second tag (512) to the data (510) at the second secure communication appliance (204b), the second tag (512) identifying the second tenant (100B) as the source of the data (510); and
  forwarding, by way of the switch (504), the data (510) including the second tag (512) to a second managed server (102) associated with the second tenant (100B) based at least in part on the second tag (512) identifying the second tenant (100B);
  wherein the second secure communication appliance (204b) does not communicate with the tenant appliance (202a) at the first tenant (100A) and the first secure communication appliance (204a) does not communicate with the tenant appliance (202b) at the second tenant (100B).
- The method of claim 11, wherein the first and second managed servers (102) each comprise a different virtual machine, and wherein the first and second managed servers execute on a common computing device.
- A computer storage medium comprising computer-executable instructions, which when executed on a computing device, cause a server hosting system (104) to secure communications between the server hosting system (104) and at least first and second tenants (100A, 100B) by:
  receiving data at a first secure communication appliance (204a) from a tenant appliance (202a) at a first tenant (100A);
  applying a first tag (512) to the data (510) at the first secure communication appliance (204a), the first tag (512) identifying the first tenant (100A) as the source of the data (510);
  forwarding, by way of a switch (504), the data (510) including the first tag (512) to a first managed server (102) associated with the first tenant (100A) based at least in part on the first tag (512) identifying the first tenant (100A);
  receiving data (510) at a second secure communication appliance (204b) from a tenant appliance (202b) at a second tenant (100B) separate from the first tenant (100A);
  applying a second tag (512) to the data (510) at the second secure communication appliance (204b), the second tag (512) identifying the second tenant (100B) as the source of the data (510); and
  forwarding, by way of the switch (504), the data (510) including the second tag (512) to a second managed server (102) associated with the second tenant (100B) based at least in part on the second tag (512) identifying the second tenant (100B);
  wherein the second secure communication appliance (204b) does not communicate with the tenant appliance (202a) at the first tenant (100A) and the first secure communication appliance (204a) does not communicate with the tenant appliance (202b) at the second tenant (100B).
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/040,631 US8972555B2 (en) | 2011-03-04 | 2011-03-04 | IPsec connection to private networks |
PCT/US2012/027388 WO2012121996A2 (en) | 2011-03-04 | 2012-03-02 | Ipsec connection to private networks |
Publications (3)
Publication Number | Publication Date |
---|---|
EP2681874A2 EP2681874A2 (en) | 2014-01-08 |
EP2681874A4 EP2681874A4 (en) | 2014-09-03 |
EP2681874B1 true EP2681874B1 (en) | 2020-01-22 |
Family
ID=46753993
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP12755660.3A Active EP2681874B1 (en) | 2011-03-04 | 2012-03-02 | Ipsec connection to private networks |
Country Status (5)
Country | Link |
---|---|
US (1) | US8972555B2 (en) |
EP (1) | EP2681874B1 (en) |
AU (4) | AU2012225808A1 (en) |
CA (1) | CA2827587A1 (en) |
WO (1) | WO2012121996A2 (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160344547A9 (en) * | 2010-10-04 | 2016-11-24 | Unisys Corporation | Secure connection for a remote device through a virtual relay device |
US9817968B2 (en) * | 2012-10-31 | 2017-11-14 | Unisys Corporation | Secure connection for a remote device through a mobile application |
US9009469B2 (en) | 2013-01-15 | 2015-04-14 | Sap Se | Systems and methods for securing data in a cloud computing environment using in-memory techniques and secret key encryption |
US9331998B2 (en) * | 2013-03-14 | 2016-05-03 | Forty Cloud Ltd. | Dynamic secured network in a cloud environment |
EP3440823B1 (en) * | 2016-04-05 | 2020-09-02 | Zamna Technologies Limited | Method and system for managing personal information within independent computer systems and digital networks |
EP3602377A1 (en) * | 2017-03-30 | 2020-02-05 | McAfee, LLC | Secure software defined storage |
CN108989194B (en) * | 2017-05-31 | 2021-07-09 | 微软技术许可有限责任公司 | Distributed IPSec gateway |
MA49571A (en) | 2017-07-10 | 2021-03-24 | Zamna Tech Limited | METHOD AND SYSTEM FOR DATA SECURITY IN INDEPENDENT IT SYSTEMS AND DIGITAL NETWORKS |
MX2020005746A (en) | 2017-12-06 | 2020-08-20 | Zamna Tech Limited | Method and system for data security, validation, verification and provenance within independent computer systems and digital networks. |
US11533227B2 (en) * | 2020-08-05 | 2022-12-20 | Charter Communications Operating, Llc | Apparatus and methods for optimizing capacity in wireline cable networks with virtual service groups |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030055933A1 (en) * | 2001-09-20 | 2003-03-20 | Takeshi Ishizaki | Integrated service management system for remote customer support |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6986061B1 (en) * | 2000-11-20 | 2006-01-10 | International Business Machines Corporation | Integrated system for network layer security and fine-grained identity-based access control |
US7093280B2 (en) | 2001-03-30 | 2006-08-15 | Juniper Networks, Inc. | Internet security system |
US7062566B2 (en) | 2002-10-24 | 2006-06-13 | 3Com Corporation | System and method for using virtual local area network tags with a virtual private network |
US8458467B2 (en) * | 2005-06-21 | 2013-06-04 | Cisco Technology, Inc. | Method and apparatus for adaptive application message payload content transformation in a network infrastructure element |
US8429630B2 (en) * | 2005-09-15 | 2013-04-23 | Ca, Inc. | Globally distributed utility computing cloud |
US8406421B2 (en) * | 2005-10-13 | 2013-03-26 | Passban, Inc. | Method and system for multi-level secure personal profile management and access control to the enterprise multi-modal communication environment in heterogeneous convergent communication networks |
US7853691B2 (en) * | 2006-11-29 | 2010-12-14 | Broadcom Corporation | Method and system for securing a network utilizing IPsec and MACsec protocols |
US8055789B2 (en) | 2007-03-27 | 2011-11-08 | Amazon Technologies, Inc. | Configuring intercommunications between computing nodes |
US20110299547A1 (en) * | 2010-06-04 | 2011-12-08 | Wael William Diab | Method and system for managing energy costs utilizing a broadband gateway |
CA2913167C (en) * | 2009-04-01 | 2018-06-12 | Nicira, Inc. | Method and apparatus for implementing and managing virtual switches |
US20120054624A1 (en) * | 2010-08-27 | 2012-03-01 | Owens Jr Kenneth Robert | Systems and methods for a multi-tenant system providing virtual data centers in a cloud configuration |
US8675669B2 (en) * | 2011-01-05 | 2014-03-18 | Alcatel Lucent | Policy homomorphic network extension |
2011
- 2011-03-04 US US13/040,631 patent/US8972555B2/en active Active
2012
- 2012-03-02 AU AU2012225808A patent/AU2012225808A1/en not_active Abandoned
- 2012-03-02 CA CA2827587A patent/CA2827587A1/en not_active Abandoned
- 2012-03-02 EP EP12755660.3A patent/EP2681874B1/en active Active
- 2012-03-02 WO PCT/US2012/027388 patent/WO2012121996A2/en active Application Filing
2016
- 2016-10-21 AU AU2016247191A patent/AU2016247191A1/en not_active Abandoned
2018
- 2018-09-20 AU AU2018233003A patent/AU2018233003A1/en not_active Abandoned
2020
- 2020-10-23 AU AU2020257158A patent/AU2020257158A1/en not_active Abandoned
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030055933A1 (en) * | 2001-09-20 | 2003-03-20 | Takeshi Ishizaki | Integrated service management system for remote customer support |
Also Published As
Publication number | Publication date |
---|---|
AU2016247191A1 (en) | 2016-11-10 |
AU2020257158A1 (en) | 2020-11-19 |
EP2681874A4 (en) | 2014-09-03 |
CA2827587A1 (en) | 2012-09-13 |
US8972555B2 (en) | 2015-03-03 |
AU2018233003A1 (en) | 2018-10-11 |
WO2012121996A3 (en) | 2012-11-01 |
WO2012121996A8 (en) | 2013-04-25 |
AU2012225808A1 (en) | 2013-08-29 |
EP2681874A2 (en) | 2014-01-08 |
US20120226792A1 (en) | 2012-09-06 |
WO2012121996A2 (en) | 2012-09-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2681874B1 (en) | Ipsec connection to private networks | |
US20230421509A1 (en) | Extension of network control system into public cloud | |
US9525666B2 (en) | Methods and systems for managing concurrent unsecured and cryptographically secure communications across unsecured networks | |
US10417428B2 (en) | Methods and systems for providing and controlling cryptographic secure communications terminal providing a remote desktop accessible in secured and unsecured environments | |
US11044238B2 (en) | Secure communications among tenant virtual machines in a cloud networking environment | |
EP2873214B1 (en) | Virtual gateways for isolating virtual machines | |
EP3731463A1 (en) | Extension of network control system into public cloud | |
AU2020200907A1 (en) | Automated provisioning of virtual machines | |
US20140019745A1 (en) | Cryptographic isolation of virtual machines | |
US20200252411A1 (en) | Enterprise security management packet inspection and monitoring | |
US10735387B2 (en) | Secured network bridge |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20130815 |
|
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
DAX | Request for extension of the european patent (deleted) | ||
A4 | Supplementary search report drawn up and despatched |
Effective date: 20140805 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04L 29/06 20060101AFI20140730BHEP |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: EXAMINATION IS IN PROGRESS |
|
17Q | First examination report despatched |
Effective date: 20170228 |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
INTG | Intention to grant announced |
Effective date: 20191029 |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE PATENT HAS BEEN GRANTED |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: REF Ref document number: 1227665 Country of ref document: AT Kind code of ref document: T Effective date: 20200215 |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R096 Ref document number: 602012067411 Country of ref document: DE |
|
REG | Reference to a national code |
Ref country code: NL Ref legal event code: MP Effective date: 20200122 |
|
REG | Reference to a national code |
Ref country code: LT Ref legal event code: MG4D |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: NL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122 Ref country code: FI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122 Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200614 Ref country code: NO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200422 Ref country code: RS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LV Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122 Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122 Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122 Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200423 Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200522 Ref country code: BG Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200422 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R097 Ref document number: 602012067411 Country of ref document: DE |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: EE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: SM Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: RO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: MC Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122 |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: MK05 Ref document number: 1227665 Country of ref document: AT Kind code of ref document: T Effective date: 20200122 |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
REG | Reference to a national code |
Ref country code: BE Ref legal event code: MM Effective date: 20200331 |
|
26N | No opposition filed |
Effective date: 20201023 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20200302 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20200302
Ref country code: LI Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20200331
Ref country code: AT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: IT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: CH Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20200331 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: BE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20200331
Ref country code: SI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R079 Ref document number: 602012067411 Country of ref document: DE Free format text: PREVIOUS MAIN CLASS: H04L0029060000 Ipc: H04L0065000000 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: TR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: MT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: CY Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122
Ref country code: AL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20200122 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: DE Payment date: 20240327 Year of fee payment: 13
Ref country code: GB Payment date: 20240327 Year of fee payment: 13 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: FR Payment date: 20240325 Year of fee payment: 13 |